Don't accept all SP requests when allow_unsigned_verification_requests is true

We should still check whether the SP is allowed to verify the attributes
it asks for, even though the SP's identity is not established.

Author: sietseringers

build.gradle

@@ -2,7 +2,7 @@ apply plugin: 'war'
 apply plugin: 'org.akhikhl.gretty'
 apply plugin: 'eclipse-wtp'
 
-version = "1.1.0"
+version = "1.1.1"
 
 import org.gradle.internal.os.OperatingSystem;
 

src/main/java/org/irmacard/api/web/ApiConfiguration.java

@@ -93,13 +93,7 @@ public boolean isIssuingEnabled() {
 	}
 
 	public boolean canVerifyAttribute(String sp, AttributeIdentifier attribute) {
-		/* If allow_unsigned_verification_requests is true, then the service provider's
-		 * name might be unknown (see VerificationResource#newSession()), so it makes
-		 * no sense to insist here that it is present in the list of authorized verifiers. */
-		if (allow_unsigned_verification_requests)
-			return true;
-
-		if (!authorized_sps.containsKey(sp))
+		if (!allow_unsigned_verification_requests && !authorized_sps.containsKey(sp))
 			return false;
 
 		ArrayList<String> attributes = authorized_sps.get(sp);